Hello,
Is this a legitimate email? What whith all the /cpsessxxxxx/.... request ?

My guess would be a routing problem in your nginx/apache conf.
SOGo only set cookie on path /SOGo and the server should only receive request on /SOGo/ too.
I think in your case the /cpsess.../ are actually send to SOGo + without the cookie as the url is not on path /SOGo. But SOGo seeing a weird request, decides to discard the auth cookie anyway.

Check in your nginw/apache that only /SOGo/ url are send to SOGo server and the others (/cpsess) are send to cpsess and not SOGo.

Is this a legitimate email? What whith all the /cpsessxxxxx/.... request ?
Yes, is a legitimate email sended from roundcube (cPanel)

My guess would be a routing problem in your nginx/apache conf.
SOGo only set cookie on path /SOGo and the server should only receive request on /SOGo/ too.
I think in your case the /cpsess.../ are actually send to SOGo + without the cookie as the url is not on path /SOGo. But SOGo seeing a weird request, decides to discard the auth cookie anyway.
I changed nginx location config from
location ^~ / {
to
location ^~ /SOGo/ {
It's change error code from 200 to 403.
Now SOGo not logout user, also in debugger I view request load it's images by broken URL.
In SOGo settings I setup option "Mail" -> "Display remote inline images" -> "Never".
Why SOGo load it's images on Reply message?